File name: | 4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8.xlsm |
Full analysis: | https://app.any.run/tasks/70f917ce-2fff-4c03-a8b2-828080f9ac86 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 16:23:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | 89E50D52E498C34F1E976CF9A1017A39 |
SHA1: | 1B8FE1D2194E685C0CCE2F00C33E7F069F3A4D54 |
SHA256: | 4E40F80114E5BD44A762F6066A3E56CCDC0D01AB2A18397EA12E0BC5508215B8 |
SSDEEP: | 768:+N8smH+NiXwkvscronhoVvmSOJGZmoVHshQ5SjkL5pKSCPUK1tgtIxsfG2u:+asmH+MXtshoV+XNot2QEjkL5pK0Kstw |
.xlsm | | | Excel Microsoft Office Open XML Format document (with Macro) (50.8) |
---|---|---|
.xlsx | | | Excel Microsoft Office Open XML Format document (30) |
.zip | | | Open Packaging Conventions container (15.4) |
.zip | | | ZIP compressed archive (3.5) |
AppVersion: | 15.03 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | Sheet1 |
HeadingPairs: |
|
ScaleCrop: | No |
DocSecurity: | None |
Application: | Microsoft Excel |
ModifyDate: | 2018:12:23 05:45:43Z |
CreateDate: | 2006:09:16 00:00:00Z |
LastModifiedBy: | - |
Creator: | - |
---|
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1087 |
ZipCompressedSize: | 367 |
ZipCRC: | 0x513599ac |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2712 | regsvr32.exe /s /n /u /i:C:\Users\admin\AppData\Local\Temp\12-B-366.txt scrobj.dll | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2992 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -File C:\Users\admin\AppData\Local\Temp\WINDOWSTEMP.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3032 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\WindowsTemplate.exe" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
2900 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B4D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ND7M44W662NISEMA79IT.temp | — | |
MD5:— | SHA256:— | |||
3012 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:AEAD59D4EF1CBDB5F7B198D056E8CDB8 | SHA256:D3F5B1A4F19E2062FB398F25C319EBE2A7292B9B5A6091F46F40B2901CF91B31 | |||
3032 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:A79016A52C41874AA8F48CD0AE60DCD1 | SHA256:956EF756518DD8F94B814C36E92057FB57651F04B8D4A0187AA95B872B60BF10 | |||
3012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\12-B-366.txt | xml | |
MD5:EB14CD00A3A16080D6169462FC0CFA85 | SHA256:DCB05307C0FC1C521FA84E666E0747AA139A941D8D8CB1EBF3279041220DF962 | |||
2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF24789b.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3012 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8.xlsm.LNK | lnk | |
MD5:2E59DC8BE4BDAD09984C60A9012F9E82 | SHA256:4B2640F002B948D296F738EB29EAD01CD7E12F42867C9D8C83DC6A384523F741 | |||
3012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\WINDOWSTEMP.ps1 | text | |
MD5:F415D712D93850EE00C43A0C8CE34C03 | SHA256:9C8E3FF4D96B3D52CD4EB8FD6BD7409ABFC9C0BD93679242B5ABAC594EBD93C8 | |||
2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk | lnk | |
MD5:4E94729A2DA1C6DEA3F5E7B26F545261 | SHA256:CD0B2900689694CAC2A4AEAA932BA6545713F1018DF1ACF8F1A1CE99CF348438 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.16.106.50:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | unknown | der | 727 b | whitelisted |
— | — | GET | 200 | 2.16.106.50:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | unknown | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 2.16.106.50:80 | ocsp.usertrust.com | Akamai International B.V. | — | whitelisted |
2900 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
Domain | IP | Reputation |
---|---|---|
notepad-plus-plus.org |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|